DiPiazza

Where I break stuff, then write about it.

CompTIA PenTest+ (PT0-003) Study Notes

Study notes organized by exam domains + searchable cards

Domain 1: Engagement Management (13%)

1.1 Pre-Engagement: Scope Definition

  • Regulations/Frameworks/Standards: HIPAA, GDPR, NIST, PCI-DSS, etc.
  • Privacy: protect sensitive/personal info; maintain confidentiality.
  • Security: testing must not weaken defenses or violate rules.

1.1 Pre-Engagement: Rules of Engagement (ROE)

  • Exclusions: systems/services that are off-limits.
  • Test cases: specific scenarios defined ahead of time.
  • Escalation process: what to do when critical issues arise.
  • Testing window: approved timeframe to test.

1.1 Pre-Engagement: Agreement Types

  • NDA: non-disclosure; keep engagement info confidential.
  • MSA: general contract between client and service provider.
  • SoW: detailed description of work to be done.
  • ToS: rules/limitations for using the service/systems.

1.1 Pre-Engagement: Target Selection

  • CIDR ranges: IP blocks (e.g., 192.168.1.0/24).
  • Domains: DNS domains (example.com).
  • IP addresses: specific hosts to test.
  • URLs: specific web resources/endpoints.

1.1 Pre-Engagement: Assessment Types

  • Web: web apps/websites
  • Network: routers/switches/firewalls/infrastructure
  • Mobile: iOS/Android apps
  • Cloud: AWS/Azure/etc.
  • API: REST/SOAP/other APIs
  • Application: thick client/desktop software
  • Wireless: Wi-Fi + other wireless tech

1.2 Collaboration & Communication

  • Peer review: another tester validates work for accuracy.
  • Stakeholder alignment: ensure goals are clear/agreed.
  • Root cause analysis: why the vuln exists.
  • Escalation path: who to notify when issues are found.
  • Secure distribution: protect sensitive reports/findings.
  • Articulate risk/severity/impact: technical + business impact.
  • Goal reprioritization: shift focus based on findings/business need.
  • Business impact analysis: effect on operations.
  • Client acceptance: client approval of results/recommendations.

Shared Responsibility Model

  • Hosting provider: physical security + core infra (e.g., AWS servers).
  • Customer: secure configuration of cloud services/resources.
  • Penetration tester: stay in scope; follow ROE.
  • Third-party: vendors/services involved in the environment.

Legal & Ethical Considerations

  • Authorization letters: written permission to test legally.
  • Mandatory reporting: report certain findings if required by law.
  • Risk to the tester: physical/legal risks during certain tests.

1.3 Testing Frameworks & Threat Modeling

OSSTMM: physical, wireless, network testing framework
CREST: accreditation/certification body (banking/healthcare/gov common)
PTES: step-by-step penetration testing standard
MITRE ATT&CK: adversary tactics/techniques knowledge base
OWASP Top 10: top web app risks
OWASP MASVS: mobile app security requirements/testing
Purdue model: ICS/SCADA network design model

DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability
STRIDE: Spoofing, Tampering, Repudiation, Info disclosure, DoS, Elevation of Privilege
OCTAVE: risk-based strategic assessment & planning

1.4 Penetration Test Report Components

  • Format alignment: matches client expectations (PDF/structure).
  • Documentation specs: consistent terminology + clear evidence.
  • Risk scoring: severity based on likelihood/impact (e.g., CVSS).
  • Definitions: clarify acronyms/terms.
  • Report components: executive summary, methodology, detailed findings, attack narrative, recommendations + remediation guidance.
  • Limitations/assumptions: what wasn’t tested/what was assumed.
  • Reporting considerations: legal, ethical, QC review, disclose AI use if applicable.

1.5 Findings → Remediation Categories

Technical controls: hardening, input sanitization/parameterized queries, MFA, encryption, patch mgmt, key rotation, cert mgmt, secrets mgmt, segmentation, firewalls/IDS/IPS.
Administrative controls: RBAC, SSDLC, minimum password requirements, policies & procedures.
Operational controls: job rotation, time-of-day restrictions, mandatory vacations, user training.
Physical controls: access control vestibule (mantrap), biometrics, video surveillance.

Domain 2: Reconnaissance & Enumeration (21%)

2.1 Information Gathering Techniques

  • Active recon: direct interaction (ping, port scan).
  • Passive recon: no direct interaction (DNS/social media).
  • OSINT: social media, job boards, code repos (GitHub), breach/password dumps.
  • DNS: lookups + reverse lookups; map infra.
  • Cached pages: Google Cache / Wayback Machine.
  • Certificate transparency: find subdomains/internal systems.
  • Information disclosure: misconfigs, comments in code, exposed services.
  • Search engine enumeration: advanced operators (Google hacking).
  • Protocol scanning: TCP/UDP to discover services.
  • Network sniffing: capture traffic/credentials (includes IoT/OT like Modbus/DNP3).
  • Banner grabbing: identify service/version via Netcat/Telnet.
  • HTML scraping: extract usernames/emails/metadata from sites.

2.2 Enumeration Techniques

  • OS fingerprinting: infer OS via responses/behavior.
  • Service discovery: identify running services (FTP/SSH/HTTP).
  • Protocol enumeration: version/capabilities.
  • DNS enumeration: subdomains/zone transfers.
  • Directory enumeration: web paths/files.
  • Host discovery: live hosts (ping sweep).
  • Share enumeration: SMB shares/resources.
  • User/email enumeration: valid accounts via responses/errors.
  • Wireless enumeration: SSIDs/security config.
  • Permission enumeration: rights/privileges on files/users.
  • Secrets enumeration: cloud keys, passwords, API keys, session tokens.
  • Attack path mapping: pivot paths between systems.
  • WAF enumeration: detect WAF behavior; find origin IP behind WAF.
  • Web crawling: automate discovery of links/params/directories.
  • Manual enumeration: robots.txt, sitemap.xml, CMS plugins (WordPress/Drupal).

2.3 Modify Scripts for Recon & Enumeration

  • Information gathering: automate OSINT/scanning/scraping.
  • Data manipulation: extract/transform/store collected data.
  • Languages: Bash, Python (Scapy/BeautifulSoup), PowerShell.
  • Logic constructs: loops, conditionals, boolean/string/arithmetic operators.
  • Libraries/functions/classes: reusable code (requests, socket, etc.).

2.4 Recon & Enumeration Tools (Quick Definitions)

Wayback Machine: old site versions
Maltego: relationship/link analysis mapping
Recon-ng: modular OSINT automation
Shodan: search exposed internet devices/services
SpiderFoot: automated OSINT + integrations
WHOIS: domain registration details
nslookup/dig: DNS record queries
Censys: public-facing infra + cert discovery
Hunter.io: find/verify email addresses
DNSdumpster: DNS mapping tool
Amass: deep DNS enum/asset discovery
Nmap (+NSE): host/port/service scanning + scripts
theHarvester: emails/hosts from public sources
WiGLE: crowdsourced Wi-Fi mapping
InSSIDer: local Wi-Fi analysis GUI
OSINTframework: OSINT tool directory
Wireshark/tcpdump: packet capture/analysis
Aircrack-ng: Wi-Fi security assessment suite

Domain 3: Vulnerability Discovery & Analysis (17%)

3.1 Vulnerability Discovery Techniques

  • Container scans: Docker/container vulns + misconfigs.
  • Sidecar scans: auxiliary components in microservices.
  • Application scans: DAST, IAST, SCA, SAST (incl. IaC + source analysis).
  • Mobile scan: mobile app/platform vulns.
  • Network scans: ports/services; TCP/UDP; stealth scans.
  • Host-based scans: machine-specific checks.
  • Authenticated vs unauthenticated: deeper insight vs outside-in view.
  • Secrets scanning: exposed keys/tokens in repos.
  • Wireless: SSID/channel/signal strength scanning.
  • ICS assessment: manual assessment + port mirroring for safe monitoring.

3.1 Tools

Nikto: web server scanner
OpenVAS/Greenbone: vuln scanner
TruffleHog: secrets in repos
BloodHound: AD relationships/attack paths
Nessus: commercial vuln scanner
PowerSploit: offensive PowerShell toolkit
Grype/Trivy: container/SBOM scanning
Kube-hunter: Kubernetes security issues

3.2 Analyze Recon/Scan/Enum Output

  • Validate results: false positives, false negatives, true positives.
  • Scan completeness: ensure all targets/ports/services were covered.
  • Troubleshoot configs: firewall blocks, bad creds, incorrect scope, scan settings.
  • Public exploit selection: match findings to Exploit-DB/Metasploit to confirm exploitability.
  • Use scripting: Bash/Python to validate and probe further.

3.3 Physical Security Concepts

  • Tailgating: unauthorized entry by following someone through a secure door.
  • Site surveys: on-site inspection for physical weaknesses.
  • USB drops: leaving malicious USBs hoping someone plugs them in.
  • Badge cloning: duplicating access badges.
  • Lock picking: manipulating locks for unauthorized entry.

Domain 4: Attacks & Exploits (35%)

4.1 Prioritize Targets & Prepare Attacks

  • High-value assets: DCs, databases, critical systems.
  • Metrics: CVSS (severity), CVE (known vuln), CWE (weakness category), EPSS (likelihood of exploitation).
  • Other factors: EOL systems, default configs, exposed/running services, weak crypto (MD5/DES), defensive controls (FW/IDS/IPS/EDR).
  • Capability selection: choose tools/exploits; customize (code analysis), plan attack path/diagrams/storyboard; respect scope limitations; label sensitive systems.

4.2 Network Attacks (Types + Tools)

  • Attack types: default creds, on-path/MITM, certificate services abuse, misconfigured services, VLAN hopping, multihomed host abuse, relay attacks, share enumeration, packet crafting.
  • Tools: Metasploit, Netcat, Nmap (+NSE), Impacket, CrackMapExec (CME), Wireshark/tcpdump, msfvenom, Responder, Hydra.

4.3 Authentication Attacks (Types + Tools)

  • Attack types: MFA fatigue, pass-the-hash/ticket/token, Kerberos attacks, LDAP injection, dictionary, brute force, mask, password spraying, credential stuffing, OIDC/SAML attacks.
  • Tools: CME, Responder, hashcat, John the Ripper, Hydra, BloodHound, Medusa, Burp Suite.

4.4 Host-Based Attacks (Objectives Snapshot)

Types: priv esc, credential dumping, security tool bypass, misconfigs, obfuscation, shell/kiosk escape, process injection/hollowing, log tampering, unquoted service path.
Tools: Mimikatz, Rubeus, Certify, Seatbelt, PowerShell/ISE, PsExec, Evil-WinRM, LOLBins.

4.5 Web Application Attacks (Objectives Snapshot)

Types: brute force, traversal, SSRF/CSRF, deserialization, injections (SQL/command/XSS/SSTI), IDOR, session hijack, RFI/LFI/web shells, API abuse, JWT manipulation.
Tools: Burp, ZAP, Postman, sqlmap, Gobuster/DirBuster, Wfuzz, WPScan, TruffleHog.

4.6 Cloud-Based Attacks (Objectives Snapshot)

Types: metadata service abuse, IAM misconfigs, third-party integration abuse, exposed buckets/public services, logging exposure, image/artifact tampering, supply chain, runtime attacks, container escape, trust abuse.
Tools: Pacu, Docker Bench, Kube-hunter, Prowler, ScoutSuite, cloud-native vendor tools.

4.7 Wireless Attacks (Objectives Snapshot)

Attacks: wardriving, evil twin, jamming, fuzzing, packet crafting, deauth, captive portal, WPS PIN.
Tools: WPAD, WiFi-Pumpkin, Aircrack-ng, WiGLE, InSSIDer, Kismet.

4.8 Social Engineering (Objectives Snapshot)

Attacks: phishing/vishing/whaling/spearphishing/smishing, dumpster diving, surveillance, shoulder surfing, tailgating, eavesdropping, watering hole, impersonation, credential harvesting.
Tools: Gophish, Evilginx, theHarvester, Maltego, Recon-ng, BeEF, SET.

4.9 Specialized Systems (Objectives Snapshot)

Mobile: info disclosure, jailbreak/rooting, permission abuse • AI: prompt injection, model manipulation • OT: register/CAN/Modbus, plaintext/replay • NFC/RFID/Bluetooth: bluejacking, spamming
Tools: Scapy, tcprelay, Wireshark/tcpdump, MobSF, Frida, Drozer, ADB, Bluecrack.

4.10 Scripting to Automate Attacks (Objectives Snapshot)

PowerShell: Empire/PowerSploit, PowerView, PowerUpSQL, AD search • Bash: I/O mgmt + data manipulation • Python: Impacket, Scapy • BAS: Caldera, Infection Monkey, Atomic Red Team

Domain 5: Post-exploitation & Lateral Movement (14%)

5.1 Persistence

  • Mechanisms: scheduled tasks/cron, service creation, registry keys.
  • Access: reverse shell, bind shell, backdoors (web shell/trojan), C2 frameworks.
  • Accounts: add new accounts; obtain valid creds.
  • Advanced: rootkits, browser extensions, tampering security controls.

5.2 Lateral Movement

  • Movement: pivoting, relay creation.
  • Enumeration: service discovery, network traffic discovery, additional credential capture/dumping, string searches.
  • Service targets: SMB/fileshares, RDP/VNC, SSH, LDAP, RPC/DCOM, FTP, Telnet, HTTP/HTTPS web interfaces, LPD/JetDirect, WMI, WinRM.
  • Tools: LOLBins (netstat/net/cmd/explorer/ftp/mmc/rundll/msbuild/route/strings/findstr), Covenant, CME, Impacket, Netcat, sshuttle, Proxychains, PowerShell ISE, batch files, Metasploit, PsExec, Mimikatz.

5.3 Staging & Exfiltration Concepts

  • Prep: file encryption + compression.
  • Covert channels: steganography, DNS, ICMP, HTTPS.
  • Paths: email, cloud storage, cross-account resources, text storage sites.
  • Other: alternate data streams, virtual drive mounting.

5.4 Cleanup & Restoration

  • Remove persistence mechanisms
  • Revert configuration changes
  • Remove tester-created credentials
  • Remove tools
  • Spin down infrastructure
  • Preserve artifacts
  • Secure data destruction
